AN APPARATUS AND METHOD FOR ENABLING SECURE CONTENT DECRYPTION WITHIN A SET-TOP BOX

FIELD OF THE INVENTION 

[0001] The invention relates generally to the field of set-top boxes. More particularly, the invention relates to a method and apparatus for enabling secure content decryption within a set-top box.

BACKGROUND OF THE INVENTION 

[0002] Broadcast systems traditionally transmit content from a broadcast server system to a plurality of client systems. Users of the client systems consume the content received from the broadcast server system as it is broadcast using, for example, a set-top box. For instance, cable television providers commonly broadcast the same movies repeatedly on multiple channels at staggered intervals. As such, users of the client systems, or set-top boxes, typically consume the content signals received from the server as they are broadcast. However, such broadcast systems generally have the capability to generate additional revenue by broadcasting content that is offered to users at a predetermined fee, which is normally referred to as viewing on a pay-per-view basis but also includes viewing on a subscription basis.

[0003] Unfortunately, when broadcasting premium content to client systems (e.g., Pay-Per-View, HBO, Showtime, etc.), the broadcast systems must ensure that premium content is not captured or pirated by client set-top boxes. As such, the broadcast systems traditionally transmit content in an encrypted format, which is streamed to the client set-top boxes. As a result, the client set-top boxes must include content decryption capability in order to enable playback of the content to users. In addition, current set-top boxes also include the capability to capture premium content, which is stored and may be viewed by a user at a later time using the content playback capability of the set-top box. Accordingly, in such a set-top box environment, it is vital to prevent exposure of clear content on the set-top box, which may be pirated by a user.

[0004] Consequently, current decryption solutions in the field labor at complying with industry-standard robustness rules for avoiding exposure of clear content on a set-top box. Fortunately, avoiding exposure of clear content on a set-top box is facilitated when the set-top box runs a proprietary operating system and a non-standard software architecture. Unfortunately, as we move into more advanced set-top box environments, the operating systems utilized by set-top boxes are becoming standardized. In addition, the software environments and architectures running on these advanced set-top boxes are also becoming standardized. Consequently, this openness, or open system, facilitates development of features on set-top boxes but presents various challenges from a security standpoint.

[0005] Therefore, there remains a need to overcome one or more of the limitations in the above-described, existing art.
BRIEF DESCRIPTION OF THE DRAWINGS

[0006] The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings, in which:

[0007] FIG. 1 depicts a block diagram illustrating a broadcast service system as known in the art.

[0008] FIG. 2 depicts a block diagram illustrating a computer system representative of a client within the broadcast service system as depicted in FIG. 1 in accordance with an embodiment of the present invention.

[0009] FIG. 3 depicts a block diagram illustrating a content playback interface of the client computer as depicted in FIG. 2 in accordance with a further embodiment of the present invention.

[0010] FIG. 4 depicts a block diagram illustrating a broadcast service system utilizing client computers configured as depicted in FIGS. 2 and 3 in accordance with an exemplary embodiment of the present invention.

[0011] FIG. 5 depicts a flowchart illustrating a method for enabling secure content decryption within a set-top box in accordance with an embodiment of the present invention.

[0012] FIG. 6 depicts a flowchart illustrating an additional method for performing security authentication in accordance with a further embodiment of the present invention.

[0013] FIG. 7 depicts a flowchart illustrating an additional method for performing run-time integrity verification in accordance with a further embodiment of the present invention.

[0014] FIG. 8 depicts a flowchart illustrating an additional method for performing security authentication in accordance with a further embodiment of the present invention.

[0015] FIG. 9 depicts a flowchart illustrating an additional method for performing run-time integrity verification in accordance with a further embodiment of the present invention.

[0016] FIG. 10 depicts a flowchart illustrating a method for initialization of a content decryption component in accordance with an exemplary embodiment of the present invention.

[0017] FIG. 11 depicts a method for authenticating a secure content driver in order to receive clear, decrypted content in accordance with an embodiment of the present invention.

[0018] FIG. 12 depicts a flowchart illustrating an additional method for performing security authentication in accordance with a further embodiment of the present invention.

[0019] FIG. 13 depicts a flowchart illustrating an additional method for the receipt of a stream of encrypted content in accordance with an exemplary embodiment of the present invention.
DETAILED DESCRIPTION

[0020] The present invention describes an apparatus and method for enabling secure content decryption within a set-top box. The method includes performance of security authentication of a content driver by a content decryption component. Security authentication is performed in order to verify the identity of the content driver as a secure content driver. Next, the content decryption component receives an encrypted content stream from the secure content driver. Once received, the content decryption component performs integrity authentication of a run-time image of the secure content driver. Finally, while integrity authentication of the secure content driver is verified, the content decryption component streams decrypted content to the secure content driver to enable playback of the decrypted content to a user.

[0021] The method also includes establishment of security authentication from a content decryption component to verify a content driver as the secure content driver. Once verified, the secure content driver receives access to a callback function in order to receive clear, decrypted content streams from the content decryption component. Next, the secure content driver receives a stream of encrypted content. The content driver then streams the encrypted content to the content decryption component. Finally, assuming the secure content driver is successfully authenticated, the secure content driver receives clear, decrypted content from the content decryption component via the received callback function.

[0022] In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without some of these specific details. In addition, the following description provides examples, and the accompanying drawings show various examples for the purposes of illustration. However, these examples should not be construed in a limiting sense, as they are merely intended to provide examples of the present invention rather than to provide an exhaustive list of all possible implementations of the present invention. In other instances, well-known structures and devices are shown in block diagram form in order to avoid obscuring the details of the present invention.

[0023] In an embodiment, the methods of the present invention are embodied in machine-executable instructions. The instructions can be used to cause a general-purpose or special-purpose processor that is programmed with the instructions to perform the steps of the present invention. Alternatively, the steps of the present invention might be performed by specific hardware components that contain hardwired logic for performing the steps, or by any combination of programmed computer components and custom hardware components.

[0024] The present invention may be provided as a computer program product which may include a machine-readable medium having stored thereon instructions which may be used to program a computer (or other electronic devices) to perform a process according to the present invention. The machine-readable medium may include, but is not limited to, floppy diskettes, optical disks, CD-ROMs (compact disc, read-only memory), and magneto-optical disks, ROMs (read-only memory), RAMs (random access memory), EPROMs (erasable programmable read-only memory), EEPROMs (electrically erasable programmable read-only memory), magnetic or optical cards, flash memory, or other types of media / machine-readable medium suitable for storing electronic instructions. Moreover, the present invention may also be downloaded as a computer program product. As such, the program may be transferred from a remote computer (e.g., a server) to a requesting computer (e.g., a client) by way of data signals embodied in a carrier wave or other propagation medium via a communication link (e.g., a modem or network connection).

System Architecture 

[0025] FIG. 1 is an illustration of one embodiment of a conventional broadcast service system 100, as known to those skilled in the art. The broadcast service system 100 includes a server 102 configured to broadcast encrypted content 130 to a plurality of clients 104 (104-1, . . ., 104-N) via antenna 110. The clients 104 receive a broadcast of the encrypted content from server 102 through a plurality of links 120 (120-1, 120-2, . . ., 120-N) from a broadcast antenna 110. Unfortunately, links 120 are uni-directional wireless radio frequency (RF) links from broadcast antenna 110.

[0026] In one embodiment, the broadcast service system 100 broadcasts the encrypted content 130 via the network 140, which provides a capability for enabling users of the client systems 104 to provide feedback to broadcasters with regard to programming. The format of such broadcasts is, for example but not limited to, known amplitude modulation (AM) or frequency modulation (FM) radio signals, television (TV) signals, digital video broadcast (DVB) signals, Advanced Television Systems Committee (ATSC) signals, or the like, which are broadcast through the atmosphere. In addition, transmission of encrypted content via the network 140 is accomplished by conventional means, such as, for example, transmission control protocol (TCP)/Internet protocol (IP), or TCP/IP.

[0027] Accordingly, the broadcast server may transmit encrypted content via broadcast antenna 110 or via the network 140 using, for example, TCP/IP. The encrypted content 130 may include, for example, any combination of a number of different types of content including, for example, video, audio, graphics, text, multimedia or the like. For purposes of explanation, many of the examples provided in this disclosure assume that the content to be transmitted by the server 102 is audio/video files, such as, for example, movies with moving images and sound.

[0028] However, it will be appreciated that the content transmitted in accordance with the teachings of the present invention is not limited only to audio/video files. As described above, content, as contemplated by the present invention, includes any combination of, for example, video, audio, graphics, text, multimedia or the like. In one embodiment, network 140 may be any type of communications network through which a plurality of different devices may communicate, such as, but not limited to, the Internet, a wide area network (WAN), a local area network (LAN), an Intranet, an Extranet or the like.

[0029] FIG. 2 is a block diagram illustrating one embodiment of a machine 200 that may be used for the clients 104 in accordance with the teachings of the present invention. The machine 200 is, for example, a computer or a set-top box that includes a processor 202 coupled to a bus 206. A memory 204, a storage 210, a display controller 208, a communications interface 218, a content playback interface 300, an input/output controller 212 and an audio controller 220 are also coupled to bus 206.

[0030] In one embodiment, machine 200 interfaces to external systems through communications interface 218. Communications interface 218 may include, for example, a radio transceiver compatible with AM, FM, TV, digital TV, DVB, ATSC, wireless telephone signals or the like. Communications interface 218 may also include, for example, an analog modem, Integrated Services Digital Network (ISDN) modem, cable modem, Digital Subscriber Line (DSL) modem, a T-1 line interface, a T-3 line interface, an optical carrier interface (e.g. OC-3), token ring interface, satellite transmission interface, a wireless interface or other interfaces for coupling a device to other devices.

[0031] A carrier wave signal 230 including, for example, encrypted content 130 may be received by communications interface 218 from antenna 110. In addition, a signal 240 may be received/transmitted between communications interface 218 and network 140 including, for example, the encrypted content 130 as well as content meta-data, user response and data, or the like. The signal 240 may also be used to interface machine 200 with another computer system, a network hub, router or the like. The carrier wave signal 230 is, for example, considered to be machine readable media, which may be transmitted through wires, cables, optical fibers or through the atmosphere, or the like.

[0032] The processor 202 may be a conventional microprocessor, such as, for example, but not limited to, an Intel x86 or Pentium family microprocessor, a Motorola family microprocessor, or the like. Memory 204 may be a machine readable medium such as dynamic random access memory (DRAM) and may include static random access memory (SRAM). Display controller 208 controls, in a conventional manner, a display 216, which may be a cathode ray tube (CRT), a liquid crystal display (LCD), an active matrix display, a television monitor or the like.
[0033] The input/output device 214 coupled to input/output controller 212 may be, for example, a keyboard, disk drive, printer, scanner and other input and output devices, including a television remote, mouse, trackball, trackpad, joystick, or the like. In one embodiment, audio controller 220 controls in a conventional manner audio output 224, which may include, for example, audio speakers, headphones, an audio receiver, amplifier or the like. In addition, the audio controller may also control, in a conventional manner, audio input 229, which may include, for example, a microphone or input(s) from an audio or musical device, or the like.

[0034] The storage 210 may, for example, include machine readable media such as, for example but not limited to, a magnetic hard disk, a floppy disk, an optical disk, a smart card or another form of storage for data. Alternatively, the storage 210 may include, for example, removable media, read-only media, readable/writable media or the like. Some of the data may, for example, be written by a direct memory access process into memory 204 during execution of software in machine 200. It is appreciated that software may reside in storage 210 or memory 204, or may be transmitted or received via modem or the communications interface.

[0035] For the purposes of the specification, the term "machine readable medium" shall be taken to include any medium that is capable of storing data, information or encoding a sequence of instructions for execution by processor 202 to cause processor 202 to perform the methodologies of the present invention. The term "machine readable medium" shall be taken to include, but is not limited to, solid-state memories, optical and magnetic disks, carrier wave signals, and the like.

[0036] The machine 200 further includes a content playback interface 300, which receives the encrypted content stream 130 from the communications interface 218 via the bus 206. The content playback interface 300 is further illustrated with reference to FIG. 3. The content playback interface 300 includes a playback user interface (UI) 302, contained within an application user space 316, which enables a user to provide a request for playback of received content. The playback interface 300 includes a content transfer block 304 that interfaces with the communications interface 218 in order to receive the encrypted content stream 130. Once received, the encrypted content stream may be stored in a content storage device 306. Alternatively, the encrypted content is stored within the storage 210 or the memory 204.

[0037] Accordingly, when the playback user interface 302 receives a request for playback of content, a content source file reader 308 selects the requested content from the content storage device 306. The selected encrypted content 130 is provided to a content reader interface 310. Once received, the content reader interface 310 provides the encrypted content stream 130 to a secure content driver 320. Once provided, the content reader interface 310 directs the secure content driver 320, via filter switch 312, to stream the encrypted content to a content decryption component 330 in order to decrypt the received content.

[0038] However, in order for the secure content driver 320 to receive decrypted content from the content decryption component 330, the secure content driver 320 must achieve successful security authentication at start-up from the content decryption component 330; both are located within a kernel application space 318. Accordingly, the content decryption component 330 resides in a secure, tamper-resistant software (TRS) environment in order to obfuscate the process of decrypting encrypted content streams 130 received from the secure content driver 320. As such, during start-up of the content playback interface 300, the secure content driver 320 registers with the content decryption component 330 in order to receive security identity authentication.

[0039] In one embodiment, identity authentication is provided using the public key infrastructure. As known to those skilled in the art, the public key infrastructure (PKI) enables users of unsecure public networks, such as the Internet, to securely and privately exchange data and money through the use of a public and private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization, and directory services that can store and, when necessary, revoke the certificates.

[0040] As such, the content decryption component 330 may, in one embodiment, authenticate the identity of the secure content driver 320 utilizing a digital certificate issued to the secure content driver 320. In addition, the content decryption component 330 must also authenticate the integrity of a static image of the secure content driver 320. In one embodiment, this is accomplished using a digital signature of the static image of the secure content driver 320, applied prior to loading the secure content driver within memory 204. Accordingly, to check the static image against its digital signature, the content decryption component 330 computes a hash value of the static image of the secure content driver. Once computed, the content decryption component 330 verifies that the computed hash value matches the static hash value contained within the digital signature of the secure content driver 320.

[0041] In a further embodiment, the content decryption component 330 also provides for run-time integrity authentication of the secure content driver 320 utilizing a pre-stored run-time digital signature of the secure content driver 320. In this embodiment, the content decryption component 330 generates a hash value of the code segments that perform the functionality of the secure content driver 320 while loaded in memory. Next, the computed hash value is compared with a run-time hash value contained within the run-time digital signature. Consequently, the various security constraints utilized by the content decryption component 330 enable security verification of the content driver 320.

[0042] Accordingly, once security authentication is completed, the secure content driver 320 receives clear, decrypted content via a callback function 332 provided to the secure content driver 320. However, the various security constraints taught by the present invention do not require current playback solutions to be modified in any way. Because a given content player (content source file reader 308 and content reader interface 310) is retained, no changes need to be made to the application user space 316 of current set-top boxes. As a result, the present invention requires modification only within the kernel application space 318, for registering a secure content driver 320 with a tamper-resistant content decryption component 330.

[0043] Referring now to FIG. 4, FIG. 4 depicts a broadcast service system 350 utilizing clients 352 (352-1, 352-2, . . ., 352-N), each configured as, for example, a set-top box as depicted in FIG. 2 utilizing a content playback interface 300 as depicted in FIG. 3. Accordingly, a server of the broadcast system 350 may broadcast or transmit encrypted content via broadcast antenna 110 or network 140 to the various clients 352.
As such, the various clients will receive the encrypted content 130 via communications 
interface 218. 

[0044] Consequently, when a user desires playback of received content, the content playback interface 300 will decrypt the received encrypted content 130 using a content decryption component 330 and a secure content driver 320. As a result, utilizing the teachings of the present invention, a broadcast service system 350 prevents unauthorized use or display of clear content, which may be pirated by users of the set-top box. Procedural methods for implementing the teachings of the present invention are now described.

Operation 

[0045] Referring now to FIG. 5, FIG. 5 depicts a flowchart illustrating a method 400 for enabling secure, dynamic content decryption on a set-top box, for example, within the broadcast service system 350 as depicted in FIG. 4. At process block 416, a content decryption component 330 performs security authentication of a content driver to verify the authenticity of the content driver as a secure content driver 320. Next, at process block 436, the content decryption component 330 receives a stream of encrypted content 130 from the secure content driver 320. Once received, process block 438 is performed. At process block 438, the content decryption component 330 performs integrity authentication of a run-time image of the secure content driver 320.

[0046] Consequently, once the integrity of the run-time image of the secure content driver 320 is authenticated, process block 470 is performed. Otherwise, the method 400 terminates. At process block 470, the content decryption component 330 streams decrypted content to the secure content driver 320. Finally, at process block 472, it is determined whether encrypted content continues to be received by the content decryption component 330. Accordingly, process blocks 438-470 are repeated while encrypted content is streamed to the content decryption component 330. Once encrypted content is no longer received, the process terminates.

[0047] Referring now to FIG. 6, FIG. 6 depicts a flowchart illustrating an additional method 418 for performing the security authentication of process block 416 as depicted in FIG. 5. At process block 420, the content decryption component 330 locates authorization information of the secure content driver 320. In one embodiment, the authorization information is a digital certificate issued to the secure content driver 320. At process block 422, the content decryption component 330 decrypts the authorization information received from the secure content driver 320.

[0048] In the embodiment described, a digital certificate received as the authorization information is decrypted using a public key of the secure content driver 320. Once decrypted, process block 424 is performed. At process block 424, it is determined whether the identity of the secure content driver 320 is authenticated based on the decrypted authorization information. When the content decryption component 330 fails to authenticate the identity of the secure content driver 320, the method terminates. Otherwise, process block 426 is performed.

[0049] At process block 426, the content decryption component 330 provides the secure content driver 320 with access to a callback function 332. As such, once the secure content driver 320 has access to the callback function 332, the secure content driver may receive clear, decrypted content from the content decryption component 330 via the callback function. Conversely, regardless of whether the secure content driver 320 streams encrypted content to the content decryption component 330, the secure content driver 320 cannot receive the clear content unless it has access to the callback function 332. Once access to the callback function is received, control flow returns to process block 416, as depicted in FIG. 5.

[0050] Referring now to FIG. 7, FIG. 7 depicts an additional method 440 for performing the run-time integrity authentication of process block 438, as depicted in FIG. 5. At process block 442, the content decryption component 330 calculates a hash value of a static image of the secure content driver 320. As described herein, the term "static image" refers to the program instructions that perform the functionality of the secure content driver prior to loading of the program instructions within memory, as opposed to at run-time. In one embodiment, hash values utilized by the present invention are calculated using the Rivest-Shamir-Adleman (RSA) authentication system. Once calculated, process block 444 is performed.
[0051] At process block 444, the content decryption component 330 selects a stored digital signature of the static image of the secure content driver 320. Next, at process block 446, the content decryption component 330 decrypts the stored digital signature of the static image to retrieve a pre-calculated hash value of the static image. Next, at process block 448, it is determined whether the calculated hash value matches the pre-calculated hash value. When the hash values match, process block 450 is performed. Otherwise, the process terminates. At process block 450, the content decryption component notifies the secure content driver 320 of successful security authentication. Next, control flow progresses to process block 454 of the method 452, as depicted in FIG. 9.

[0052] Referring now to FIG. 8, FIG. 8 depicts a flowchart illustrating an additional method 428 for performing the security authentication of process block 416, as depicted in FIG. 5. At process block 430, it is determined whether the identity of the secure content driver 320 is authenticated. Once authenticated, process block 432 is performed. Otherwise, the method terminates. At process block 432, the content decryption component 330 determines a run-time memory location wherein the content driver 320 is loaded once executed by the content playback interface 300. Finally, at process block 434, the content decryption component establishes a function entry point 322 from the secure content driver 320 in order to receive the stream of encrypted content from the secure content driver 320. Once established, control flow returns to process block 416, as depicted in FIG. 5.

[0053] Referring now to FIG. 9, FIG. 9 depicts a flowchart illustrating an additional method 452 for performing the run-time integrity authentication of process block 438, as depicted in FIG. 5. At process block 454, the content decryption component 330 decrypts the encrypted content stream 130 received from the secure content driver 320. Next, at process block 456, the content decryption component calculates a hash value of the code segments that perform the functionality of the secure content driver 320 while loaded in memory. Once calculated, process block 458 is performed. At process block 458, the content decryption component selects a stored run-time digital signature of a run-time image of the secure content driver.
[0054] As described herein, the term "run-time image" refers to the program instructions that perform the functionality of the secure content driver 320 when loaded in memory. As such, the run-time image consists of the program instructions loaded in memory to perform the functionality of the secure content driver 320. Once selected, process block 460 is performed. At process block 460, the content decryption component 330 decrypts the selected digital signature to reveal a run-time hash value of the run-time image of the secure content driver 320. Finally, at process block 462, it is determined whether the calculated hash value matches the run-time hash value. When the hash values match, control flows to process block 470, as depicted in FIG. 5. Otherwise, the method terminates.

[0055] Referring now to FIG. 10, FIG. 10 depicts a flowchart illustrating a method 402 for initialization of the content decryption component 330 in accordance with an exemplary embodiment of the present invention. At process block 404, it is determined whether the content decryption component 330 has received a content decryption key 314. The content decryption key 314 enables the content decryption component to decrypt received encrypted content streams. In the embodiment described, only the content decryption component has access to the content decryption key, which is received using, for example, the PKI. Once received, process block 406 is performed. At process block 406, the content decryption component stores the received content decryption key within the tamper-resistant software environment of the content decryption component 330. Once stored, process block 408 is performed.

[0056] At process block 408, it is determined whether the content decryption component 330 has received a digital signature of a static image of the secure content driver 320. Once received, the static digital signature of the secure content driver 320 is stored within the tamper-resistant software environment of the content decryption component 330 at process block 410. At process block 412, it is determined whether the content decryption component 330 has received a run-time digital signature of a run-time image of the secure content driver 320. Once received, process block 414 is performed. At process block 414, the received run-time digital signature is stored within the tamper-resistant software environment of the content decryption component 330. Once stored, control flow branches to process block 416 as depicted in FIG. 5.
[0057] Referring now to FIG. 11, FIG. 11 depicts a flowchart illustrating a 
method 500 for establishment of security authentication by a secure content driver 320 
in order to receive clear, decrypted content from the content decryption component 
330. At process block 502, it is determined whether the secure content driver 320 has 
received security authentication from the content decryption component 330. If 
security authentication is not received, the process terminates. Once successful 
security authentication is received, process block 520 is performed. At process block 
520, the secure content driver 320 receives access to a callback function 332. 

[0058] As described above, access to the callback function enables the secure 
content driver 320 to receive clear, decrypted content from the content decryption 
component 330. Otherwise, clear content is not received, resulting in failure to 
play back content to a requesting user. Once received, process block 522 is performed. 
At process block 522, it is determined whether the secure content driver 320 has 
received a stream of encrypted content. Once received, process block 530 is 
performed. At process block 530, the content driver 320 streams the received 
encrypted content to the content decryption component 330. Finally, at process block 
532, the secure content driver 320 will receive a stream of clear, decrypted content 
from the content decryption component 330. 

[0059] Referring now to FIG. 12, FIG. 12 depicts a flowchart illustrating an 
additional method for achieving successful security authentication from the content 
decryption component 330. At process block 506, the secure content driver 320 may 
receive a request for authorization information from the content decryption component 
330. As described above, the authorization information is, in one embodiment, a 
digital certificate issued to the secure content driver 320. Once a request is received, 
process block 508 is performed. At process block 508, the secure content driver 320 
transmits the requested authorization information to the requesting content decryption 
component 330. 

[0060] Next, at process block 510, it is determined whether security 
authentication is successfully established. When security authentication is established, 
process block 512 is performed. Otherwise, the process terminates. At process block 
512, the secure content driver 320 provides the content decryption component 330 with 
a memory location wherein the secure content driver 320 program instructions are 
loaded at run-time. Finally, at process block 514, the secure content driver 320 
provides the content decryption component 330 with a function entry point 322 for 
receiving the stream of encrypted content. Once provided, control flow branches to 
process block 520, as depicted in FIG. 11. 
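The handshake described in paragraphs [0054] through [0060] can be modelled end to end: the component keeps the content key and the stored signatures, checks the driver's certificate for identity, recomputes the hash of the static image and of the image at the memory location the driver hands over, compares each against the hash revealed by decrypting the corresponding stored signature, and only then hands out the callback through which clear content flows. The following Python program is an added example, not code from the patent or from any set-top box implementation. It stands in textbook RSA with toy-sized Mersenne primes for the patent's PKI signatures (no padding, so it must not be reused as real signing code), a SHA-256 counter keystream for the content cipher, and the names `SecureContentDriver`, `ContentDecryptionComponent`, `digest64`, `sign`, `reveal_hash`, `keystream_xor` and `run_handshake`, all of which are assumptions of this example rather than identifiers from the specification.

```python
import hashlib

# Toy textbook RSA (no padding) standing in for the patent's PKI; hypothetical key material.
_P, _Q = 2147483647, 2305843009213693951       # Mersenne primes 2**31-1 and 2**61-1
RSA_N, RSA_E = _P * _Q, 65537
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))    # private exponent (needs Python 3.8+)


def digest64(data: bytes) -> int:
    """SHA-256 truncated to 64 bits so the hash value fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def sign(data: bytes) -> int:
    """Issuer side: the digital signature is the hash encrypted with the private key."""
    return pow(digest64(data), _RSA_D, RSA_N)


def reveal_hash(signature: int) -> int:
    """Verifier side: decrypting the signature with the public key reveals the signed hash."""
    return pow(signature, RSA_E, RSA_N)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the content cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class SecureContentDriver:
    """Models driver 320: carries its certificate, static image and run-time memory image."""

    def __init__(self, name: bytes, certificate: int, static_image: bytes):
        self.name, self.certificate = name, certificate
        self.static_image = static_image                # image as stored on disk
        self.memory_location = bytearray(static_image)  # where the image is loaded at run time
        self.callback = None                            # granted by the component on success

    def receive_encrypted(self, encrypted: bytes) -> bytes:
        """Entry point for encrypted content: routed to the component, clear content comes back."""
        if self.callback is None:
            raise PermissionError("not authenticated: no callback, so no clear content")
        return self.callback(encrypted)


class ContentDecryptionComponent:
    """Models component 330: the content key and signatures live only here."""

    def __init__(self, content_key: bytes, static_sig: int, runtime_sig: int):
        self._content_key = content_key
        self._static_sig, self._runtime_sig = static_sig, runtime_sig

    def authenticate(self, driver: SecureContentDriver):
        """Identity via certificate, integrity via static and run-time image hashes."""
        if reveal_hash(driver.certificate) != digest64(driver.name):
            return None                                 # certificate not issued by our PKI
        if reveal_hash(self._static_sig) != digest64(driver.static_image):
            return None                                 # on-disk image altered
        if reveal_hash(self._runtime_sig) != digest64(bytes(driver.memory_location)):
            return None                                 # loaded instructions altered after load
        driver.callback = self._decrypt_for             # callback handed out only on success
        return driver.callback

    def _decrypt_for(self, encrypted: bytes) -> bytes:
        return keystream_xor(self._content_key, encrypted)


def run_handshake(tamper_runtime: bool = False):
    """Builds constructed actors, runs the handshake, returns clear content or None on failure."""
    image = b"secure_content_driver_v1_instructions"    # constructed stand-in for the driver image
    driver = SecureContentDriver(b"secure_content_driver", sign(b"secure_content_driver"), image)
    component = ContentDecryptionComponent(b"content-key", sign(image), sign(image))
    if tamper_runtime:
        driver.memory_location[0] ^= 0xFF               # patch the in-memory image after load
    if component.authenticate(driver) is None:
        return None
    encrypted = keystream_xor(b"content-key", b"clear premium content frame")
    return driver.receive_encrypted(encrypted)


if __name__ == "__main__":
    print(run_handshake())                      # clear content frame
    print(run_handshake(tamper_runtime=True))   # None: run-time hash no longer matches
```

The point the toy makes is the ordering in the specification: the callback is a capability that exists only after all three checks pass, so a driver whose in-memory instructions differ from the signed run-time image never obtains a path to clear content even though it holds a valid certificate and an unmodified file on disk.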

[0061] Finally, referring to FIG. 13, FIG. 13 depicts a flowchart illustrating an 
additional method 524 performed once a stream of encrypted content is received at 
process block 522, as depicted in FIG. 11. At process block 526, the secure content 
driver 320 receives a stream of encrypted content from a content source reader 310. 
Next, at process block 528, a content reader interface 310 directs the secure content 
driver 320, via filter switch 312, to stream the received encrypted content to the content 
decryption component 330. Once streamed, control flow branches to process block 
530, as depicted in FIG. 11. 

[0062] Accordingly, utilizing the teachings of the present invention, the content 
decryption component 330 ensures that a content driver is authenticated as a secure 
content driver 320 utilizing the various security authentication mechanisms as 
described herein. Once authenticated as a secure content driver 320, both from an 
identity standpoint and a run-time integrity standpoint, the secure content driver 320 
will stream encrypted content to the content decryption component 330, which is 
decrypted by the content decryption component 330 and then streamed back to the 
secure content driver 320 via the callback function 322. As a result, the secure content 
driver 320 may then provide the received, clear decrypted content to a content decode 
device 340. In one embodiment, the content decode device 340 is a Moving Picture 
Experts Group 2 (MPEG-2) hardware decode chip. Once decoded, the content may be 
transmitted to display 216 in order to enable playback to the user. 

Alternate Embodiments 

[0063] Several aspects of one implementation of a set-top box for providing 
secure, automated content decryption have been described. However, various 
implementations of the set-top box provide numerous features that include, 
complement, supplement, and/or replace the features described above. 
Features can be implemented as part of the set-top box or as part of a computer, digital 
video receiver, cable receiver, or the like in different implementations. In addition, the 
foregoing description, for purposes of explanation, used specific nomenclature to 
provide a thorough understanding of the invention. However, it will be apparent to one 
skilled in the art that the specific details are not required in order to practice the 
invention. 

[0064] In addition, although an embodiment described herein is directed to a 
set-top box, it will be appreciated by those skilled in the art that the teaching of the 
present invention can be applied to other systems. In fact, systems for receipt of 
content streamed in a media streaming format are within the teachings of the present 
invention, without departing from the scope and spirit of the present invention. The 
embodiments described above were chosen and described in order to best explain the 
principles of the invention and its practical applications. These embodiments were 
chosen to thereby enable others skilled in the art to best utilize the invention and 
various embodiments with various modifications as are suited to the particular use 
contemplated. 

[0065] It is to be understood that even though numerous characteristics and 
advantages of various embodiments of the present invention have been set forth in the 
foregoing description, together with details of the structure and function of various 
embodiments of the invention, this disclosure is illustrative only. In some cases, certain 
subassemblies are only described in detail with one such embodiment. Nevertheless, it 
is recognized and intended that such subassemblies may be used in other embodiments 
of the invention. Changes may be made in detail, especially matters of structure and 
management of parts within the principles of the present invention to the full extent 
indicated by the broad general meaning of the terms in which the appended claims are 
expressed. 

[0066] The present invention provides many advantages over known 
techniques. The present invention includes the ability to avoid exposure of clear 
content on a set-top box, which utilizes an open environment including a standardized 
operating system, as well as standardized software environments and architectures. 
Moreover, the solution does not cause current playback solutions to be modified in any 
way. Due to the fact that there is a given content player, no changes need to be made to 
an application user space of current set-top boxes. As a result, the present invention 
only requires modification of a kernel application space for registering a secure content 
driver with a tamper-resistant content decryption component. Accordingly, application 
development time and time to market for a set-top box utilizing the teachings of the 
present invention are minimized. 

[0067] Having disclosed exemplary embodiments and the best mode, 
modifications and variations may be made to the disclosed embodiments while 
remaining within the scope of the invention as defined by the following claims. 